vibecoded
tjctf
Task: Next.js App Router chat app using vulnerable React 19.x Server Components. Solution: Exploit CVE-2025-55182 (React2Shell) for RCE, then extract the flag from .env in git commit history.
vibecoded — TJCTF 2026
Description
i vibe coded a website and told gpt to make it secure so there is nothing you can do now!!!
English summary: A Next.js App Router chat application ("yap") where users can register, log in, and post messages. It is built with React Server Components on React 19.x. The developer claims it was "vibe coded" (AI-generated) and then secured by GPT. The goal is to find the flag hidden on the server.
Analysis
Application Architecture
- Framework: Next.js 15.x with App Router (build ID: 5VGptBeLn4iPBWXBhhT5c)
- Frontend: React Server Components with Flight protocol
- Database: SQLite at /var/lib/yap/data.db
- Auth: Unsigned cookie yap_user=<username> (HttpOnly, plain text)
- Proxy: Go-based reverse proxy forwarding only GET/POST to /
Server Action IDs (from page source)
Login: 40cecd84ea8f6a2e4fc21505453351fd6313e28428
Register: 40ed6c0b53c7f99c3fa4946ff1d02a94a11906dcc9
Post yap: 401f68b86df260cd0037fbe5c9a5c671a3920b1f78
Logout: 000791216483786dde7eac56bee8877a5a2f9b928d
Pre-seeded Content
User 'zain' had a welcome message: "Welcome to the yap chat app! This is a pretty cool chat app 100% made by humans. Source: true me bro."
Vulnerability: CVE-2025-55182 (React2Shell)
The application uses a vulnerable version of React (19.0.0–19.2.x) with React Server Components. CVE-2025-55182 is a critical Remote Code Execution vulnerability that allows an attacker to execute arbitrary code on the server by sending specially crafted HTTP requests to Server Function endpoints via the RSC Flight protocol.
Related CVEs in the same family:
- CVE-2025-55182 (Critical): Remote Code Execution via prototype chain traversal in Flight protocol
- CVE-2025-55183 (Medium): Server Function Source Code Disclosure (toString() not overridden on Server References)
- CVE-2025-55184 (High): Denial of Service via infinite loop
References:
- React blog: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- Next.js advisory: https://nextjs.org/blog/security-update-2025-12-11
- GitHub Advisory: GHSA-w37m-7fhw-fmv9
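As an added defensive example (not part of the original writeup or of the challenge code), the following Node script scans an npm lockfile for the React Server Components packages that carry the Flight server code and flags versions inside the 19.0.0 to 19.2.x range named above. The lockfile content is constructed for the demo, and the first-patched-release table is an assumption recalled from the upstream advisory; confirm it against GHSA-w37m-7fhw-fmv9 before relying on it.

```javascript
// Added example: lockfile check for CVE-2025-55182 (React2Shell) affected packages.
// Assumption: the Flight server code lives in the react-server-dom-* packages.
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// Assumption: first patched release per 19.x minor line, as recalled from the
// advisory. Verify against GHSA-w37m-7fhw-fmv9 before using in production.
const FIRST_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[v^~]/, ""));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when 19.0.0 <= version < first fixed release of its minor line.
// 19.3+ and non-19 majors fall outside the range the writeup names.
function isVulnerable(version) {
  const v = parseSemver(version);
  if (!v || v[0] !== 19) return false;
  const fixed = FIRST_FIXED[`${v[0]}.${v[1]}`];
  return fixed ? compareSemver(v, parseSemver(fixed)) < 0 : false;
}

// lockfile: parsed package-lock.json (v2/v3), whose "packages" map is keyed by
// install path such as "node_modules/react-server-dom-webpack" (nested paths too).
function findVulnerableRsc(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (AFFECTED_PACKAGES.includes(name) && meta.version && isVulnerable(meta.version)) {
      const line = meta.version.split(".").slice(0, 2).join(".");
      findings.push({ name, version: meta.version, upgradeTo: FIRST_FIXED[line] });
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable and one patched RSC package.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "yap", version: "0.1.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};
console.log(findVulnerableRsc(SAMPLE_LOCK));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.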
Solution
Step 1: Identify the Vulnerable Stack
...